Reporting – CompTIA Security+ SY0-401: 3.6

If you can’t see a problem, then you can’t fix it. In this video, you’ll learn how reporting can help you create and maintain a security computing environment.

<< Previous Video: Security PostureNext: Detection vs. Prevention >>

One good way to mitigate or even prevent certain attacks from occurring is to have as much information available as possible. Unfortunately, a lot of the devices on our networks can give us a lot of metrics and a lot of details about what’s going on. You’ve got content and information that you can gather from your firewalls, from your IPS systems, from your routers, your switches. You’ve got information from your servers and other devices.

The challenge, of course, is what you do with that information. If you want to be able to at least get an idea of what’s going on, you’ll need to decide what you want to look for. What are the metrics that are most important for you?

From a security perspective, you might want to look at throughput, you might want to see the number of authentications or attempted authentications that are occurring over a certain time frame. Maybe you’d like to watch the CPU utilization of a server so that you can see exactly when the heaviest loads might be. If a server is one that you would not expect a heavy load, that will be a good time to find out when something changed.

So we need to think about thresholds for these metrics that we’ve created. Do we want to see if a device is up or down? Do we want to understand what particular threshold we want to know about with that CPU utilization? Perhaps you never want to be informed about CPU utilization unless it goes above 70%, because this server should never be doing that.

Or what about temperature? What about network throughput? There are literally thousands and thousands and thousands of possible metrics that you could be gathering and creating thresholds for. But you have to figure out which ones are most important for you and your environment and the type of applications that you’re using. Once you identify these metrics and you’ve set thresholds for them, you absolutely need to be informed when those thresholds are exceeded, and you need to find out the best way to contact you.

Maybe if you carry phone around all the time, you get an SMS message. If you’re an email type person, maybe you’re emailed immediately. There’s pluses and minuses to any type of disposition system. So you might want to even combine different ones together so that you not only get a text page, but you also get an email sent to perhaps a number of different people.

That way, it’s not just one person informed. If you exceed a threshold and it is an important threshold, you can inform a large number of people at one time. If we’re busy collecting all of these data points about CPU utilization and number of authentications and identification of when the network thresholds, the network throughputs are going up and going down, it will be really great to be able to track this over time.

So a lot of the monitoring systems that you’ll find also include a way to be able to create some trend reports. It’s very, very difficult to get a high level, a big picture view of what’s going on, unless you can put it into a form where you can look at a lot of it in one place. And these graphical representations of what’s going on really do tell a story.

You can see exactly when traffic is getting higher. You can see when traffic is getting lower. You can understand why you exceeded a particular threshold. Otherwise, you’d have to pour through pages and pages and pages of log files. And at the end of the day, you probably still wouldn’t have the same perspective of things like network throughput or any of the other metrics, unless you’re able to put it into a graphical form.

You want to also look at how often you’re going to monitor these devices, what timeframe you want to report on this information. Maybe you want to poll a device every minute to get a metric from it, maybe every five minutes, maybe every hour. And of course, there are advantages and disadvantages to doing either one of those things. You also need to think about what type of reports you want.

Do you want to daily report that gives you a representation of what happened the previous calendar day? Or would you like a roll up at the end of the week that shows for the same seven day period, tell me an idea of what happened during that seven days? Obviously, the more data we put into a single report, the harder it is to get a lot of the granular your out of it.

But now you can make a decision about just how much data is important for you and exactly what type of information you would like to be able to see over what time frame. Just remember that when you start collecting data, you are absolutely going to be collecting a lot of information. So very often, these visualizations tools, these polling devices that we have are able to age out the information as we go.

So we might keep one minute intervals for 30 days. But after 30 days, take this one minute intervals and average them out to an hour and simply store the hours information. That way, we’re getting rid of a lot of data points and a lot of storage and really summarising information over a longer time frame. Sometimes you’ll need to be able to set those particular roll ups yourself, those aging out of that data yourself. And you need to think about how long you need those raw statistics.

If somebody six months from now wants to know a minute by minute breakdown of what occurred during that time frame, then you’re going to need to keep that raw data over a much longer period of time. And think about also exactly what security metrics you would like to look for. You want to be able to understand if there was an increase in malware activity, if you’re getting more spam coming into your environment, maybe your spam reporting system can tell you that there’s a big uptick in spam.

And maybe that will put you on alert for a little more phishing activity. Maybe you want to see how many devices on your network have received the patches, or perhaps more importantly, what devices did not get patched in the latest update.

And sometimes, an increase in bandwidth can lead you into more information about what might be going on in your environment. A good example of this is in May of 2011, a company called LastPass, they create a digital wallet where you can store all of your passwords encrypted in one place. They were looking at their logs, they were looking at their reporting system, and they noticed an anomaly in traffic that was increased from a particular server.

This is a server that contained sensitive information. It contains our password data. And they noticed that there was a little bit of an uptick in the amount of traffic transferred. And of course, when they see that, they take into account perhaps the internal systems that they have. There’s backup systems and testing systems that they use.

And they went back and looked at their logs and realized this wasn’t us. This was not our internal systems. This perhaps could have been someone else in our systems transferring information, sensitive customer information. And that was a bit of a problem for them. So they were very forthcoming.

They got a public message out on their blog. They tweeted information about this with all of the details of what they saw. They had no evidence that there was a bad guy who’d gotten this information. They had not seen this information being used elsewhere.

The information itself was encrypted. But it pointed to the potential for problems. And they wanted to mitigate any issues. So they required immediately that everybody change their password. If you use the LastPass system, you’re going to need to change your password immediately so that if somebody could grab that encrypted data and then decrypt it and find all of our passwords, they could try them. But they still wouldn’t be able to get in and use the information stored on LastPass.

But that certainly spoke to a much bigger issue. And when you’re thinking about monitoring your systems, finding out different thresholds and understanding what to look at over time, think about those security concerns and what you can do to help prevent some of these security problems.